Whitelisting problem
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5284
Printed Date: 23 February 2025 at 12:48am
Topic: Whitelisting problem
Posted By: MartinC
Subject: Whitelisting problem
Date Posted: 29 July 2005 at 7:50am
not sure if there is any way around this one..
we have some standard email addresses that we whitelist, jobs@, administrator@ and so on.
we also have the honeypot option switched on ... this seems to work
well, I've spotted some junk ones that get sent regularly
jerry@oursite, joe@oursite and have listed these.
I've noticed some spam getting through the last few days that I would
expect to get blocked - has honeypot email addresses being used and
also content that should be blocked.
however spammers are starting the smtp session with one of the
whitelisted addresses (I think BCC-ed) and then the rest of the message
is sent onto 5-10 other people.
any way I can stop this?
I don't mind the message going to the whitelisted users, but ideally would like to stop the spam to other users.
an example logfile looks something like this...
07/29/05 07:40:57:932 -- (1284) Resolving 218.98.202.108 - Not found
07/29/05 07:40:58:026 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:40:58:026 -- (1284) - MAPS search done... 521 The IP 218.98.202.108 is Blacklisted by sbl-xbl.spamhaus.org. http://www.spamhaus.org/query/bl?ip=218.98.202.108
07/29/05 07:40:58:026 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.taylor@testaddress.com will be rejected
07/29/05 07:40:58:354 -- (780) Disconnect
07/29/05 07:40:58:573 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:40:58:573 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wetherall@testaddress.com will be rejected
07/29/05 07:40:59:619 -- (1664) Disconnect
07/29/05 07:41:00:745 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:41:00:745 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.wynne@testaddress.com will be rejected
07/29/05 07:41:00:838 -- (1664) Connection from: 80.178.152.88 - Originating country : Israel
07/29/05 07:41:01:291 -- (1284) Mail from: OFBZJD@yahoo.com
07/29/05 07:41:01:307 -- (1284) 218.98.202.108 - Mail from: OFBZJD@yahoo.com To: j.young1@testaddress.com will be rejected
07/29/05 07:41:01:870 -- (1284) Bypassed all rules for: jobs@testaddress.com from OFBZJD@yahoo.com ( Whitelisted EMail Address To)
07/29/05 07:41:02:432 -- (1284) Bypassed all rules for: jonet@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:03:010 -- (1284) Bypassed all rules for: k.holden@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:03:604 -- (1284) Bypassed all rules for: k.mckelvie@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:04:151 -- (1284) Bypassed all rules for: k.wright@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:04:745 -- (1284) Bypassed all rules for: k.wrighv@testaddress.com from OFBZJD@yahoo.com
07/29/05 07:41:05:604 -- (780) Connection from: 222.140.195.81 - Originating country : China
07/29/05 07:41:07:667 -- (1284) EMail from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wetherall@testaddress.com, j.wynne@testaddress.com, j.young1@testaddress.com, jobs@testaddress.com, jonet@testaddress.com, k.holden@testaddress.com, k.mckelvie@testaddress.com, k.wright@testaddress.com, k.wrighv@testaddress.com was queued. Size: 1 KB, 1024 bytes
07/29/05 07:41:07:682 -- (464) Sending email from OFBZJD@yahoo.com to j.taylor@testaddress.com, j.wetherall@testaddress.com, j.wynne@testaddress.com, j.young1@testaddress.com, jobs@testaddress.com, jonet@testaddress.com, k.holden@testaddress.com, k.mckelvie@testaddress.com, k.wright@testaddress.com, k.wrighv@testaddress.com
|
Replies:
Posted By: Guests
Date Posted: 06 September 2005 at 6:47am
anyone? we are still having this problem, spam that should be blocked
getting through to us if the first recipient is set to be unfiltered in
Spamfilter.
usual scenario - spammer sends to us, they get blocked..
with this, spammer sends to us... gets blocked, tries again, gets
blocked, then sends to jobs@example.com - this is allowed through,
then any recipients after that seem to get through.
is this a known problem... something we can fix?
|
Posted By: LogSat
Date Posted: 06 September 2005 at 4:19pm
MartinC,
The original post fell thru the crack and went unanswered, sorry.
When an email arrives, and one of its recipients is whitelisted,
SpamFilter will skip all filtering rules for it and will deliver it. If
there are multiple recipients, they will be receiving it as well. There
is no "fix" for this as this is how SpamFilter works. It is not able to
"break apart" an email and forward it on to some recipients while
blocking and quarantining it for others. Sorry.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
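The behaviour described in the reply above leaves a recognisable trace in the log: a "Bypassed all rules" line carrying a whitelist reason, followed by a "was queued" line listing other recipients. The following is an added example (not LogSat code and not from the thread) that flags such messages; it assumes unwrapped log lines, treats the number in parentheses as the session identifier, and uses constructed sample addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the excerpt in this thread.
SAMPLE_LOG = """\
07/29/05 07:40:58:026 -- (1284) Mail from: spam@sender.example
07/29/05 07:40:58:026 -- (1284) 192.0.2.10 - Mail from: spam@sender.example To: a.user@corp.example will be rejected
07/29/05 07:40:58:354 -- (780) Disconnect
07/29/05 07:41:01:870 -- (1284) Bypassed all rules for: jobs@corp.example from spam@sender.example ( Whitelisted EMail Address To)
07/29/05 07:41:02:432 -- (1284) Bypassed all rules for: b.user@corp.example from spam@sender.example
07/29/05 07:41:07:667 -- (1284) EMail from spam@sender.example to a.user@corp.example, jobs@corp.example, b.user@corp.example was queued. Size: 1 KB, 1024 bytes
07/29/05 07:41:09:100 -- (2001) Bypassed all rules for: jobs@corp.example from hr@partner.example ( Whitelisted EMail Address To)
07/29/05 07:41:09:500 -- (2001) EMail from hr@partner.example to jobs@corp.example was queued. Size: 2 KB, 2048 bytes
"""

# Assumption: "(NNNN)" is the session id; state is keyed by (session id, sender).
LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")
REJECT = re.compile(r"Mail from: (\S+) To: (\S+) will be rejected")
BYPASS = re.compile(r"Bypassed all rules for: (\S+) from (\S+)(?: \( *(Whitelisted[^)]*)\))?")
QUEUED = re.compile(r"EMail from (\S+) to (.+?) was queued")

def find_piggybacked(log_text):
    """Return one finding per queued message that rode on a whitelisted recipient."""
    fresh = lambda: {"rejected": set(), "whitelisted": set()}
    state, findings = defaultdict(fresh), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tid, msg = m.groups()
        if (r := REJECT.search(msg)):
            state[(tid, r.group(1))]["rejected"].add(r.group(2))
        elif (b := BYPASS.search(msg)):
            if b.group(3):  # only the line with a whitelist reason names the trigger
                state[(tid, b.group(2))]["whitelisted"].add(b.group(1))
        elif (q := QUEUED.search(msg)):
            rcpts = [a.strip() for a in q.group(2).split(",")]
            s = state.pop((tid, q.group(1)), fresh())
            others = [a for a in rcpts if a not in s["whitelisted"]]
            if s["whitelisted"] and others:
                findings.append({
                    "sender": q.group(1),
                    "whitelisted": sorted(s["whitelisted"]),
                    "piggybacked": others,
                    "rejected_but_queued": [a for a in others if a in s["rejected"]],
                })
    return findings

if __name__ == "__main__":
    print(find_piggybacked(SAMPLE_LOG))
```

A message addressed only to the whitelisted mailbox produces no finding, so the check isolates the multi-recipient case discussed in this thread.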
Posted By: Guests
Date Posted: 07 September 2005 at 5:35am
thanks Roberto.. no worries.
it's a bit of a pain since I'm seeing a bit of spam like this daily but
I guessed this would be normal behaviour with the other recipients
being part of the message as CC or BCCs.
still it's a bit of a loophole if spammers spot this behaviour and
notice that postmaster and various other standard whitelisted names
allow them to mail anyone else in an organisation (e.g. sales, accounts,
jobs, foi and similar).
am I the only person spotting this then?
is there any mileage in changing some of the smtp settings like max
recipients per connection... I'm guessing the spammers try and send to
a big list after the first accepted connection.
|
Posted By: Alan
Date Posted: 07 September 2005 at 1:25pm
Here's a thought, how about setting up a tag such as ":exclusive" so
that you can set a user to be whitelisted only if they are the only
recipient? This doesn't completely solve the problem and
introduces some new issues but does address the exploit that MartinC is
referring to.
(I am guessing this is not going to be possible but worth asking at least)